Re: Memory corruption in 8390.c ?

From: Ben Pfaff
Date: Wed Jun 21 2006 - 13:21:54 EST


Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> writes:

> --- drivers/net/8390.c~ 2006-06-21 17:41:12.006145536 +0100
> +++ drivers/net/8390.c 2006-06-21 17:41:12.007145384 +0100
> @@ -275,12 +275,14 @@
> struct ei_device *ei_local = (struct ei_device *) netdev_priv(dev);
> int send_length = skb->len, output_page;
> unsigned long flags;
> + char buf[64];
> + char *data = skb->data;
>
> if (skb->len < ETH_ZLEN) {
> - skb = skb_padto(skb, ETH_ZLEN);
> - if (skb == NULL)
> - return 0;
> + memset(buf, 0, ETH_ZLEN); /* more efficient than doing just the needed bits */
> + memcpy(buf, data, ETH_ZLEN);

Is this really correct? It zeros out ETH_ZLEN bytes only to
immediately copy over all of them again.

> send_length = ETH_ZLEN;
> + data = buf;
> }
>
> /* Mask interrupts from the ethercard.
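
Review bot: In the short-packet branch, memcpy(buf, data, ETH_ZLEN) copies ETH_ZLEN bytes from a buffer that holds only skb->len valid bytes (the branch is taken exactly when skb->len < ETH_ZLEN). It therefore reads past the end of the packet data, and whatever follows it in memory is transmitted as padding. It also overwrites everything the memset just zeroed. The copy length should be skb->len, i.e. memcpy(buf, data, skb->len), which leaves the zeroed tail as the pad. Separately, buf is declared as char buf[64] while every use is sized by ETH_ZLEN; declaring it as buf[ETH_ZLEN] would keep the two from drifting apart.
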
> @@ -347,7 +349,7 @@
> * trigger the send later, upon receiving a Tx done interrupt.
> */
>
> - ei_block_output(dev, send_length, skb->data, output_page);
> + ei_block_output(dev, send_length, data, output_page);
>
> if (! ei_local->txing)
> {
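
Review bot: The data pointer passed to ei_block_output() is the on-stack buf whenever the frame was padded, so this call is only safe if ei_block_output() is finished with the data before the function returns; a short comment stating that assumption would help. The rest of the function, which this patch does not show, should also be checked for remaining uses of skb->data or skb->len that relied on the skb itself having been padded.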


--
Ben Pfaff
email: blp@xxxxxxxxxxxxxxx
web: http://benpfaff.org
